SQL injection provided initial access to Heartland's corporate network. Once inside, attackers planted malware on payment processing servers that intercepted card data in transit.
Heartland implemented end-to-end encryption for card data. CEO Robert Carr became an advocate for tokenization. The breach catalyzed PCI DSS compliance enforcement across the payments industry.
The Incident
In 2008, Heartland Payment Systems — the sixth-largest payment processor in the U.S. — disclosed that attackers had stolen approximately 130 million credit and debit card numbers from its systems. It was the largest payment card breach ever reported.
The Root Cause
The initial entry point was SQL injection. Attackers exploited a web-facing application that constructed SQL queries using string concatenation — the exact pattern documented in The Concatenated Query exhibit. This gave them access to Heartland's internal network.
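The concatenation pattern named above, shown beside its parameterized form, as an added example (this is illustrative code written for this page, not Heartland's application or any code from the exhibit; the merchant table, its rows, the `m-NNNN` id format and the function names are all constructed for the demonstration):

```python
import re
import sqlite3

# Constructed sample data (not from the page): a tiny merchant lookup table.
SAMPLE_MERCHANTS = [
    ("m-1001", "Corner Grocery", "active"),
    ("m-1002", "Main St Diner", "active"),
    ("m-1003", "Old Bookshop", "suspended"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id TEXT PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, merchant_id: str):
    # VULNERABLE: the caller's input is spliced into the SQL text, so the input
    # can alter the statement's structure instead of only supplying a value.
    sql = "SELECT id, name FROM merchants WHERE id = '" + merchant_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant_id: str):
    # HARDENED: the statement text is fixed; the driver binds merchant_id as a
    # value, so whatever it contains is compared as a literal string only.
    sql = "SELECT id, name FROM merchants WHERE id = ?"
    return conn.execute(sql, (merchant_id,)).fetchall()


def is_well_formed_id(merchant_id: str) -> bool:
    # Defence in depth: reject anything that is not shaped like an id before it
    # reaches the database layer. Binding parameters remains the primary fix.
    return re.fullmatch(r"m-\d{4}", merchant_id) is not None


def demo() -> dict:
    """Run both lookups with a benign id and with a tautology-bearing string."""
    conn = make_db()
    benign = "m-1002"
    # In the concatenated version this becomes  WHERE id = '' OR '1'='1'  and
    # matches every row; in the bound version it is just a string nobody has.
    hostile = "' OR '1'='1"
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_hostile": lookup_concatenated(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
        "hostile_passes_shape_check": is_well_formed_id(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the two functions is that the difference is not in how carefully the string is escaped but in whether the query's structure is decided before user data is involved; the shape check is a secondary control that also makes a malformed id easy to log and alert on.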
Once inside, the attackers deployed custom malware on the payment processing servers. The malware intercepted card data as it traveled between the point-of-sale terminal and the payment processor — after decryption at Heartland's boundary but before re-encryption for the card network. The data was in plaintext in memory, and the malware captured it.
The Pattern
The breach illustrates how a single boundary collapse (SQL injection on a web form) can cascade into a catastrophic outcome. The SQL injection was not the breach — it was the door. The real damage came from what was accessible once that door was open.
The Aftermath
Heartland paid $140 million in fines and settlements. CEO Robert Carr became one of the most vocal advocates for end-to-end encryption in payment processing, arguing that if card data is never in plaintext on merchant systems, a network breach cannot expose it. The incident was a turning point for PCI DSS enforcement — what had been a compliance checkbox became an audited requirement.